BO XI Release 2 - NLTM versus Kerberos Authentication

Similar Messages

• Portal Drive Single Sign On and Kerberos Authentication

  Hi,
  We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
  1. Can Kerberos and NTLM authentication be configured together.
  2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
  3. Any other approach to make Portal Drive SSO work.
  Helpful answers will be rewarded.
  Regards,
  Chandra

  Hi Gregor,
  I did two things:
  first i made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication
  second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
  Again, this only worked after installing the latest vesion.
  Hope this helps
  Marcel

• Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

  I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
  Given below are the steps of installation and configuration.
  Installation till basic authentication:
  The installation has been done in a
  single server.
  Installed SQL Server 2012 (Developer version).
  Selected only the following features:
  Database Engine Services
  Analysis Services
  Reporting Services – SharePoint
  Reporting Services Add-in for SharePoint Products
  Management Tools – Basic
  - Management Tools - Complete
    2. Installed SQL Server 2012 SP1.
    3. Installed SQL Server 2012 SP2.
    4. Installed SharePoint Foundation 2013.
    5. Created web application (without Kerberos; we did not even create the SPNs).
        The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed
  account.
    6. Created Site Collection.
    7. Verified that Reporting Services is not installed.
    8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
    9. Verified that Reporting Services is installed.
   10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
    11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
    12. Created a Site.
    13. Created a Data Connection library with “Report Data Source” content type.
    14. Created a Report Model library with “Report Builder Model” content type.
    15. Created a Report library with “Report Builder Report” content type.
    16. Uploaded an SMDL to the Report Model library.
    17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
    18. Able to create and save a report using Report Builder.
  Hence, basic authentication is working and SSRS is able to connect to Oracle database.
  Next we have to configure Kerberos settings between SharePoint and SQL Server.
  Implementation of Kerberos authentication
  In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config  and added the Authentication Types of RSWindowsNegotiate
  and RSWindowsKerberos.
   2.  Set up the following SPNs.
                 a) SQL Server Database Engine service (sqlDbSrv2):
                  setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
                  setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
               In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
  b) Account: SharePoint Setup Admin account (spAdmin2)
       setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
                  setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
                  In the Delegation tab of the account, selected "Trust this user for delegation to any  service
  (Kerberos only)".
  c) Account: SQL Server Reporting Service account (sqlRepSrv2)
                     setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
                     setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
                     In the Delegation tab of the account, selected "Trust this user for delegation to any service
  (Kerberos only)".
    3. Configure the Web Application to use “Negotiate (Kerberos)”.
    4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
       The Event Viewer logged the login process for the SharePoint Administration account as
  Negotiate and not Kerberos.
    5. Implemented Kerberos for Oracle database and client.
       Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
    6. Turn on Windows Firewall.
    7. While testing the site's data connection using Kerberos settings, got the error
  “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
        Note: The Data Connection for basic authentication still worked.
    8. Created a Claims to Windows Token Service account (spC2WTS2).
    9. Started the Claims to Windows Token Service.
   10. Registered the Claims to Windows Token Service account as a Managed Account.
   11. Changed the Claims To Windows Token Service to use the above managed account.
   12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
        Note: The Reporting Services service account is also a part of the WSS_WPG local group.
   13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
   14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
   15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
        When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically
  added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
   16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
   17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
        Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
   18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
        For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use
  any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
        Note: The Reporting Service account already had an HTTP SPN.
   19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
         For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
         The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any
  authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
   20. Restarted the SharePoint server.
   21. Tested the data connection with the Kerberos settings again.
         Got the error
  “ORA-12638: Credential retrieval failed”.
  Can anyone tell me what is wrong with this setup?

  http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
  Problem4: ORA-12638: Credential retrieval failed
  Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
  Do check 
  http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
  If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/

• Updating hybrid configuration failed - Kerberos authentication: The network path was not found

  I'm configuring Exchange 2010 SP3 as a Hybrid server with Exchange Online. This is a single server running Exchange roles Mailbox, Client Access, Unified Messaging and Hub Transport.
  When I run the Manage Hybrid Configuration, I receive the following error:
  Updating hybrid configuration failed with error
  'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The network
  path was not found.
  The full text from the Hybrid Configuration log file (C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration)
  [1/5/2014 21:21:1] INFO:Opening runspace to
  http://[servername]/powershell?serializationLevel=Full
  [1/5/2014 21:21:1] INFO:Disconnected from On-Premises session
  [1/5/2014 21:21:1] ERROR:Updating hybrid configuration failed with error 'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following
  error occured while using Kerberos authentication: The network path was not found. 
   Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
   After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
     -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
     at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
     at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
     at System.Management.Automation.Runspaces.RunspacePool.Open()
     at System.Management.Automation.RemoteRunspace.Open()
     at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.Connect(PSCredential credentials, CultureInfo sessionUiCulture)
     at Microsoft.Exchange.Management.Hybrid.Engine.Execute(ILogger logger, String onPremPowershellHost, PSCredential onPremCredentials, PSCredential tenantCredentials, HybridConfiguration hybridConfiguration)
     at Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateHybridConfiguration.InternalProcessRecord()'.
  I have sought help, posting on the forum at community.office365.com -
  http://community.office365.com/en-us/forums/158/t/212265.aspx. But I've got to a point where I believe the problem is more to do with how PowerShell is operating on the on-prem Exchange server.
  Has anyone else come across this problem running the Hybrid Configuration Wizard?

  Hello Darrell,
  Have you verified the settings of Powershell virtual directories for the on-premises Exchange Servers? The following article has a list of some common issues with that virtual directory and how to correct them:
  http://technet.microsoft.com/en-us/library/ff607221(v=exchg.80).aspxI would take a look at the one titled "Configure Kerberos Authentication" specifically to ensure everything
  looks good.
  As the article states you can run the Exchange BPA and it will check if any of these exist as well.

• WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.

  I have two forests with a transitive on-way trust between them: PROD -> TEST (test trusts PROD). I had previously had kerberos authentication working with winrm from PROD to machines in TEST. I have verified the trust is healthy, I also verified users
  in TEST can use WINRM with kerberos just fine. Users from PROD cannot connect via kerberos to machines in TEST with winrm.
  I have verified the service has registered the appropriate SPNs. I ran dcdiag against all my PROD and TEST domain controllers and didn't find anything that would prevent kerberos from happening. I even tried disabling the firewall entirely on my TEST dcs
  but that didn't gain me anything.
  I've enabled kerberos logging but only see the expected errors such as it couldn't find a PROD SPN for the machine, which it shouldn't from what I understand, it should go to the TEST domain and find the SPN from there.
  I'm really out of next steps before I call PSS and hope someone here has run into this and could provide me some next steps.
  PowerShell Error:
  Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
   Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
   After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
     -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
      + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
      + FullyQualifiedErrorId : PSSessionStateBroken
  winrs Error:
  Winrs error:
  WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
   Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
   After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
     -For more information about WinRM configuration, run the following command: winrm help config.

  Hi Adam,
  I'm a little unclear about which SPNs you were looking for, in which case could you confirm you were checking that on the computer object belonging to the actual destination host it has the following SPNs registered?
  WSMAN/<NetBIOS name>
  WSMAN/<FQDN>
  If you were actually trying to use WinRM to connect to the remote forest's domain controllers, then what you said makes sense, but I was caught between assuming this was the case or you meant another member server in that remote forest.
  Also, from the client trying to connect to this remote server, are you able to telnet to port 5985? (If you've used something other than the default, try that port)
  If you can't, then you've got something else like a firewall (be that the Windows firewall on the destination or a hardware firewall somewhere in between) blocking you at the port level, or the listener on the remote box just isn't working as expected. I
  just replied to your other winrm post with steps for checking the latter, so I won't repeat myself here.
  If you can telnet to it and the SPNs exist, then you might be up against something called selective authentication which has to do with how the trust was defined. You can have a read of
  this to learn a bit more about selective trusts and whether or not it's affecting you.
  Cheers,
  Lain

• The KDC encountered duplicate names while processing a Kerberos authentication request in a Domain controller server

  HI
  we have a sharepoint farm and in domain controller server, this error is in event viewer
  Log Name:      System
  Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
  Date:          9/15/2014 10:44:15 PM
  Event ID:      11
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      XXXAPP01.xxxportal.com
  Description:
  The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is HTTP/XXXWFE01.xxxportal.com (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent
  this from occuring remove the duplicate entries for HTTP/XXXWFE01.xxxportal.com in Active Directory.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
      <EventID Qualifiers="49152">11</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-09-15T19:44:15.000000000Z" />
      <EventRecordID>131824</EventRecordID>
      <Correlation />
      <Execution ProcessID="0" ThreadID="0" />
      <Channel>System</Channel>
      <Computer>XXXAPP01.xxxportal.com</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="Name">HTTP/XXXWFE01.xxxportal.com</Data>
      <Data Name="Type">DS_SERVICE_PRINCIPAL_NAME</Data>
      <Binary>
      </Binary>
    </EventData>
  </Event>
  adil

  Hi adil,
  Service principal names (SPNs) are stored as a property of the associated account object in Active Directory
  Domain Services (AD DS). I noticed that you have used setpn –X to identify the duplicate SPN. Please refer to following articles and check if help you to solve this issue.
  Event ID 11 — Service Principal
  Name Configuration
  Event ID 11 in the System log of domain controllers
  Please also refer to following article and check if can help you.
  The problem with duplicate SPNs
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
  does not guarantee the accuracy of this information.
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• Kerberos Authentication on Windows 7

  I'm trying to authenticate using Kerberos Authentication. Let's say the server is oracle.mydomain.com, and the kdc is kdc.sub.mydomain.com. Now, I have one machine that is joined to the sub.mydomain.com domain, and another machine which is on a totally different domain thatdomain.com.
  Now, I use this as my krb5.ini file
  [libdefaults]
  default_realm = sub.mydomain.com
  dns_lookup_kdc = true
  dns_lookup_realm = true
  [realms]
  sub.mydomain.com = {
  default_domain = sub.mydomain.com
  kdc = kdc.sub.mydomain.com
  and on the machine that is joined to the sub domain, it connects. If I use the same file for the other machine, I get "Status : Failure - Test failed: Peek timed out". Now I tried kinit on that machine "kinit testacct" and it properly gives me "Enter password for [email protected]" to which I enter the password and it gives me "New ticket is stored in cache file C:\Users\testacct\krb5cc_testacct", so that seems to be working, I just don't know why the SQL developer doesn't. Any ideas? Does the machine have to be joined to the domain in order to work with kerberos? FYI I have tried and I can ping the servers and telnet to the oracle server port, so it doesn't seem like a network issue...?
  The machine that is connecting is on the same subnet and uses the same DNS servers, it is just joined to a different domain.
  Edited by: 850630 on Apr 14, 2011 5:38 AM
  Edited by: 850630 on Apr 14, 2011 5:39 AM

  Hi ElementZero,
  I would still try to get thick kerberos working with for example sqlplus before you try thin.
  To help rule out kerberos version incompatibilities and configuration issues.
  For your information: my oracle krb5.conf set in database advanced properties was:
  [libdefaults]
  default_realm = example.COM
  [realms]
  US.ORACLE.COM = {
  kdc = KERBEROS_SERVER.example.com
  default_domain = example.com
  admin_server = KERBEROS_SERVER.example.com
  [domain_realm]
  .us.oracle.com = EXAMPLE.COM
  us.oracle.com = EXAMPLE.COM
  .ie.oracle.com = EXAMPLE.COM
  ie.oracle.com = EXAMPLE.COM
  If you set the kerberos cache entry in database advanced preferences to an new file you will have
  to enter a new password in sqldeveloper.
  Turloch
  -SQLDeveloper Team

• Issue in confuguration of Kerberos authentication

  Hi all
  We are trying to configure Kerberos authentication for single sign-on on a SAP WAS 6.40 Java System. We configured the Kerberos using SPNEGO wizard. After configuring when we tried to login to UME, but it prompted for Username and Password which confirms that single sign on is not working.
  In default trace file we got the following info
  i. Key for the principal [email protected] not available in default key     tab
  ii. [Krb5LoginModule] authentication failed
       Unable to obtain password from user
  iii. Login module com.sun.security.auth.module.Krb5LoginModule from authentication stack com.sun.security.jgss.accept does not authenticate the caller.
  iv. LOGIN.FAILED
      Unable to obtain password from user
  1. Why password cannot be obtained from user?
  2. Is there a default keytab other than the one created by the spnego wizard?
  3. If there is one, then can we add the key for [email protected]  in         that file and how?
  4. How can this be resolved?
  Regards
  Deepu

  Your log files are recording an authentication error, so that usually means your login information is incorrect, or just corrupted. Try reseting your Kerberos password, and if that doesn't work, double-check your Kerberos connectivity and configuration settings.

• Real time collaboration issue after Kerberos authentication setup

  Hi,
  We are using SPNego (kerberos) authentication for our portal (EP 7.0 SP10). When user clicks on log off link, he comes back to the portal home page again so there is no way for the user to log off from the portal. I don't see this as a problem for the users who are not having access to collaboration. But for the users having access to collaboration, when they login to the portal second time (before expiry of the first login session which they couldn't close as log off is not working), they get warning stating
  "You are logged to the same portal already. Real-time collaboration capabilities will not be available in the current portal session until you terminate the other session and then restart this one by refreshing the browser or logging on again."
  How to resolve this?
  Helpful answers will be rewarded
  Regards,
  Chandra

  Most people set the logoff link to a URL which contains soem javascript which closes the browser.
  Paul

• Question about Java GSS-Kerberos authentication

  Hi,
  I am new to GSS API. I have a client requirement to use Java GSS Kerberos Authentication instead of using IIS for Integrated Windows Authentication. In IWA, the IE browser automatically picks up the logged-in windows user credentials and passes it to IIS, which authenticates you against Active Directory and returns SUCCESS.
  We are planning to write a Servlet/JSP code on Apache Tomcat on Solaris 10, which uses Java GSS API to do Kerberos Authentication and return SUCCESS to the user. When I look at the examples:
  http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html#RunAc
  it says:
  "You will be prompted for your Kerberos user name and password, and the underlying Kerberos authentication mechanism specified in the login configuration file will log you into Kerberos. If your login is successful, you will see the following message: Authentication succeeded!"
  Does this mean that in Kerberos Authentication using Java GSS API, the user will have to enter his windows credentials for authentication? Is there a way for the credentials to be passed from Windows automatically to the API, without user intervention?
  Any links detailing the procedure would be of great help.
  Thanks,
  shetty2k

  We are having a similar requirement from our end. To make situation worst I do not even have an idea about an approach.
  What are the ways that we can use windows credentials to authenticate against IIS with tomcat?
  any help is greatly appreciated.
  R.

• Remotely adding a Kerberos Authenticated printer

  Hi there, I am deploying a printer Via MCX which works fine. however the machines are using an LDAP kerberos authentication setup. If i manually set kerberos on the machine using the following steps it works fine.
  1. Open the URL "http://localhost:631/printers" in Safari.
  2. For each printer you wish to share using Kerberos:
  3. Click the printer name in the list.
  4. Choose "Set Default Options" from the "Administration" pop-up menu.
  5. Click "Policies".
  6. Choose "kerberos" from the "Operation Policy:" pop-up menu.
  7. Click "Set Default Options".
   The problem i have is I can't do this on each machine manually.
  This setting is not held in the PPD for that printer. I have set the option, copied the PPD from /etc/cups/ppd and then created a new printer using this PPD but the option is not enabled. I can see that when you enable this option it is writing to and then deleting the following files
  /var/spool/cups/cache/printername.png
  /var/spool/cups/cache/printername.data.N
  /var/spool/cups/cache/printername.png-psHg
  /var/spool/cups/cache/printername.data I am sure this is what is setting the option but i can't see anything in lpadmin or lpoptions that would allow this to be set via the command line. Any Ideas?

  I have found the Apple whitepaper on Enterprise printing and this command is supposed to enable kerberos.
  However when you run it and then check through the CUPS interface kerberos is not enabled.
  first you get the queue name from this
  lpstat -a
  lpadmin -p printername -o auth-info-required=negotiate
  Now according to the white paper the process changed from 10.5 to 10.6
  I am wondering if anyone knows if things have changed from 10.6 to 10.7

• Kerberos Authentication DB in Oracle iPlanet Web Server

  [Here is a blog about how to configure Kerberos Authentication Database in Oracle iPlanet Web Server on Solaris 10 update 8 |http://blogs.sun.com/meena/entry/using_kerberos_as_authentication_database]

  As long as the application server that LCDS is deployed in is supported, it doesn't  matter which webserver is being used.
  HTH
  Kumaran

• Any document explaining Risks involved in assigning "Delegation Permission" to a computer for Kerberos Authentication

  Need SSO on CRM 2013. As per documents assigning Delegation Permission in Kerberos Authentication is mandatory to achieve SSO in CRM 2013.
  Before doing that need to evaluate risks in doing so. Any help or document for the same is helpful.
  Devesh

  Hi Devesh,
  “The idea of delegation in Kerberos is that if a user makes a request to a final resource, and some
  intermediary accounts must process the request, then those intermediary accounts can be trusted to delegate on the user’s behalf. You can configure an account for delegation by using Active Directory Users and Computers as a domain administrator.
  Select Trust this user/computer for delegation to any service (Kerberos) under the Delegation tab of the user or computer account.”
  Quoted from this article below:
  Using Kerberos for SharePoint Authentication
  http://technet.microsoft.com/en-us/magazine/ee914605.aspx
  From my point of view, as long as the intermediary account can be trusted, then it is safe.
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• EP 6.0 SP2 + external kerberos authentication

  We recently installed EP 6.0 SP2 Patch 4 HF 6 on an Aix 5.2 unix platform. We would like to create our own authentication scheme that uses a login module written in Java that does kerberos authentication externally. From reading the Portal Security Guide it appears that this is a doable approach. Has anyone actually done this with the portal on a unix platform? Which Java kerberos library implementation did you use?
  Thanks in advance.
  Sincerely,
  Steven McElwee, Duke University

  Hi,
  as mentioned above, you need a second server. This one could be Windows. People use this architecture in productive environments.
  If this does not work for you, you need to go the second approach: Custom JAAS login module using the WebCallback plus a kerberos library.
  Here some links:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-1/pluggable authentication implementing a jaas login module presentation
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-1/pluggable authentication implementing a jaas login module exercises
  Best regards,
  Oliver

• Kerberos authentication prompting for credentials in Sharepoint 2013

  Hello all,
  I think I’m a bit confused on what I should expect out of Kerberos and sharepoint.
  Following the steps located in
  http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/ , I’ve setup Kerberos in my Sharepoint 2013 environment. My hope was that configuring kerberos authentication would solve the issue of users being prompted for
  credentials when they access sharepoint. I know that one way to address this problem is to tweak the IE settings by adding the site to the local intranet or trusted zones, but am I wrong in thinking that Kerberos should also authenticate the user on to the
  site? Here’s my situation:
  Previously, I had our sharepoint URL in the trusted zone and had IE set to pass my credentials through, and that worked. After configuring Kerberos, I can see the tickets on my system using klist and the security log on our web front-end shows that I authenticated
  using Kerberos.
  However, if I then remove the sharepoint URL from the trusted zone in IE, I still get prompted for credentials. If I cancel the credential prompt, I get a 401 error and the security log on the server shows a NTLM login attempt.
  As soon as I put the URL back in the trusted zone, I can access the site and the server log shows a Kerberos authentication.
  I’m I wrong in thinking that if Kerberos was working properly then I shouldn't need to have the URL in the trusted zone?
  Thanks
  Bill

  Thanks for the quick reply, Alex. At least it’s good to know it appears to be working as designed.
  Thanks again,
  Bill